General
-
Target
78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0.bin.sample
-
Size
1.0MB
-
Sample
241112-t3m7dswhln
-
MD5
436c014614477e79696e838d6b605f4e
-
SHA1
8951e54fabdd4d8e424573e53a51e309203f6f41
-
SHA256
78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0
-
SHA512
f3952b167c9177aafc302daea98cc6f48f27d7df3efdef3ed4c27603a375a9547d46f465900d9abb6f2e618cd50f4d0f295a4d2920b37f54130037073efc77b4
-
SSDEEP
12288:Vpp+QIEmDzuImC01vbUE98pik+2i1NkshdMMK+AX99etq2dTdJf:Vpp+Q+u5bUI8pij1NkshdMf99etb5P
Static task
static1
Behavioral task
behavioral1
Sample
78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0.bin.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0.bin.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\akira_readme.txt
akira
https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion
Targets
-
-
Target
78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0.bin.sample
-
Size
1.0MB
-
MD5
436c014614477e79696e838d6b605f4e
-
SHA1
8951e54fabdd4d8e424573e53a51e309203f6f41
-
SHA256
78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0
-
SHA512
f3952b167c9177aafc302daea98cc6f48f27d7df3efdef3ed4c27603a375a9547d46f465900d9abb6f2e618cd50f4d0f295a4d2920b37f54130037073efc77b4
-
SSDEEP
12288:Vpp+QIEmDzuImC01vbUE98pik+2i1NkshdMMK+AX99etq2dTdJf:Vpp+Q+u5bUI8pij1NkshdMf99etb5P
-
Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
-
Akira family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (8627) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell
Run Powershell command to delete shadowcopy.
-
Drops startup file
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-